In this article by Srinivasa Rao Kotipalli and Mohammed A. Imran, authors of Hacking Android, we will discuss Android security, which is one of the most prominent emerging topics today. Attacks on mobile devices can be categorized into various categories, such as exploiting vulnerabilities in the kernel, attacking vulnerable apps, tricking users to download and run malware and thus stealing personal data from the device, and running misconfigured services on the device. OWASP has also released the Mobile top 10 list, helping the community better understand mobile security as a whole. Although it is hard to cover a lot in a single article, let’s look at an interesting topic: the the runtime manipulation of Android applications. Runtime manipulation is controlling application flow at runtime. There are multiple tools and techniques out there to perform runtime manipulation on Android. This article discusses using the Xposed framework to hook onto Android apps.

(For more resources related to this topic, see here.)

Let’s begin!

Xposed is a framework that enables developers to write custom modules for hooking onto Android apps and thus modifying their flow at runtime. It was released by rovo89 in 2012. It works by placing the app_process binary in /system/bin/ directory, replacing the original app_process binary. app_process is the binary responsible for starting the zygote process. Basically, when an Android phone is booted, init runs /system/bin/app_process and gives the resulting process the name Zygote. We can hook onto any process that is forked from the Zygote process using the Xposed framework.

To demonstrate the capabilities of Xposed framework, I have developed a custom vulnerable application.

The package name of the vulnerable app is com.androidpentesting.hackingandroidvulnapp1.

The code in the following screenshot shows how the vulnerable application works:

This code has a method, setOutput, that is called when the button is clicked. When setOutput is called, the value of i is passed to it as an argument. If you notice, the value of i is initialized to 0. Inside the setOutput function, there is a check to see whether the value of i is equal to 1. If it is, this application will display the text Cracked. But since the initialized value is 0, this app always displays the text You cant crack it.

Running the application in an emulator looks like this:

Now, our goal is to write an Xposed module to modify the functionality of this app at runtime and thus printing the text Cracked.

First, download and install the Xposed APK file in your emulator. Xposed can be downloaded from the following link:

http://dl-xda.xposed.info/modules/de.robv.android.xposed.installer_v32_de4f0d.apk

Install this downloaded APK file using the following command:

adb install [file name].apk

Once you’ve installed this app, launch it, and you should see the following screen:

At this stage, make sure that you have everything set up before you proceed. Once you are done with the setup, navigate to the Modules tab, where we can see all the installed Xposed modules. The following figure shows that we currently don’t have any modules installed:

We will now create a new module to achieve the goal of printing the text Cracked in the target application shown earlier. We use Android Studio to develop this custom module.

Here is the step-by-step procedure to simplify the process:

1. The first step is to create a new project in Android Studio by choosing the Add No Actvity option, as shown in the following screenshot. I named it XposedModule.

   

2. The next step is to add the XposedBridgeAPI library so that we can use Xposed-specific methods within the module. Download the library from the following link:

   http://forum.xda-developers.com/attachment.php?attachmentid=2748878&d=1400342298

3. Create a folder called provided within the app directory and place this library inside the provided directory.

4. Now, create a folder called assets inside the app/src/main/ directory, and create a new file called xposed_init.We will add contents to this file in a later step.After completing the first 3 steps, our project directory structure should look like this:

   

5. Now, open the build.gradle file under the app folder, and add the following line under the dependencies section:

   provided files('provided/[file name of the Xposed 
     library.jar]')

   In my case, it looks like this:

   

6. Create a new class and name it XposedClass, as shown here:

   

7. After you’re done creating a new class, the project structure should look as shown in the following screenshot:

   

8. Now, open the xposed_init file that we created earlier, and place the following content in it.

   com.androidpentesting.xposedmodule.XposedClass

   This looks like the following screenshot:

   

9. Now, let’s provide some information about the module by adding the following content to AndroidManifest.xml:

   <meta-data
   
   android_name="xposedmodule"
   
   android_value="true" />
   
    
   
   <meta-data
   
   android_name="xposeddescription"
   
   android_value="xposed module to bypass the validation" />
   
    
   
    
   
   <meta-data
   
   android_name="xposedminversion"
   
   android_value="54" />

10. Make sure that you add this content to the application section as shown here:

    

11. Finally, write the actual code within in the XposedClass to add a hook.

12. Here is the piece of code that actually bypasses the validation being done in the target application:

    

Here’s what we have done in the previous code:

• Firstly, our class is implementing IXposedHookLoadPackage
• We wrote the method implementation for the handleLoadPackage method—this is mandatory when we implement IXposedHookLoadPackage
• We set up the string values for classToHook and functionToHook
• An if condition is written to see whether the package name equals the target package name
• If package name matches, execute the custom code provided inside beforeHookedMethod
• Within the beforeHookedMethod, we are setting the value of i to 1 and thus when this button is clicked, the value of i will be considered as 1, and the text Cracked will be displayed as a toast message

Compile and run this application just like any other Android app, and then check the Modules section of Xposed application. You should see a new module with the name XposedModule, as shown here:

Select the module and reboot the emulator.

Once the emulator has restarted, run the target application and click on the Crack Me button.

As you can see in the screenshot, we have modified the application’s functionality at runtime without actually modifying its original code.

We can also see the logs by tapping on the Logs section.

You can observe the XposedBridge.log method in the source code shown previously. This is the method used to log the following data shown:

Summary

Xposed without a doubt is one of the best frameworks available out there. Understanding frameworks such as Xposed is essential to understanding Android application security. This article demonstrated the capabilities of the Xposed framework to manipulate the apps at runtime. A lot of other interesting things can be done using Xposed, such as bypassing root detection and SSL pinning.

Further resources on this subject:

• Speeding up Gradle builds for Android [article]
• https://www.packtpub.com/books/content/incident-response-and-live-analysis [article]
• Mobile Forensics [article]